file location adjustments

disko may not be required here depending on the fact we are leveraging
lxc containers

configurations/nixos/tofu/configuration.nix

@@ -2,35 +2,17 @@
 {
   disko.devices.disk.main.device = "/dev/vda";
 
-  users.users.admin = {
-    isNormalUser = true;
-
-    name = "sky";
-    extraGroups = [
-      "wheel"
-      "networkmanager"
-      "video"
-      "input"
-    ];
-    uid = 1000;
-    openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
-  };
-  users.users.root.openssh.authorizedKeys.keys = [
-    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA9i9HoP7X8Ufzz8rAaP7Nl3UOMZxQHMrsnA5aEQfpTyIQ1qW68jJ4jGK5V6Wv27MMc3czDU1qfFWIbGEWurUHQ="
-  ];
-  services.tailscale = {
-    enable = true;
-  };
   services.tty-ips.enable = true;
-  networking.yggdrasil.enable = true;
+  networking.yggdrasil = {
-  networking.yggdrasil.AllowedPublicKeys = [
+    enable = true;
-    "d0e265fcf663451ae9bc048dc1297749819ce9d48042a986f2866c15a779a074"
+    AllowedPublicKeys = [
-  ];
+      "d0e265fcf663451ae9bc048dc1297749819ce9d48042a986f2866c15a779a074"
-  virtualisation.incus.agent.enable = true;
+    ];
+  };
   nixpkgs.hostPlatform = "x86_64-linux";
   networking.hostName = "smultiboi";
   environment.systemPackages = [
-    pkgs.otf
+    # pkgs.otf
   ];
   # Used for backwards compatibility, please read the changelog before changing.
   # $ darwin-rebuild changelog

configurations/nixos/tofu/default.nix

@@ -1,6 +1,6 @@
 # See /modules/nixos/* for actual settings
 # This file is just *top-level* configuration.
-{ flake, ... }:
+{ flake, modulesPath, ... }:
 
 let
   inherit (flake) inputs;
@@ -9,6 +9,7 @@ in
 {
   imports = [
     self.nixosModules.default
+    "${modulesPath}/virtualisation/lxc-container.nix"
     ./configuration.nix
     ./hardware-configuration.nix
     ./disko.nix

modules/nixos/common/default.nix

@@ -6,4 +6,9 @@
     ++ [
       flake.inputs.disko.nixosModules.default
     ];
+
+  nixpkgs.overlays = [ flake.inputs.self.overlays.default ];
+  services.tailscale = {
+    enable = true;
+  };
 }

modules/nixos/common/otf.nix

@@ -0,0 +1,91 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.services.otf;
+in
+{
+  options.services.otf = {
+    enable = lib.mkEnableOption "Open Terraform Framework";
+    # It is important to expose the datadirectory to the user so we make it a reusable option
+    dataDir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/otf";
+      description = "Directory to store OTF data.";
+    };
+    package = lib.mkPackageOption pkgs "otf" { };
+    pgPackage = lib.mkPackageOption pkgs "postgresql_16" { };
+    # this application is configured entirely by environment variables and needs to be exposed
+    environment = lib.mkOption {
+      type =
+        with lib.types;
+        attrsOf (
+          nullOr (oneOf [
+            str
+            path
+            package
+          ])
+        );
+      default = {
+        OTF_ADDRESS = "localhost:9000";
+        OTF_SITE_TOKEN = "my-token";
+        OTF_SSL = "false";
+        # the application needs a secret for encryption and other things
+        # TODO: make mechanism to load via file
+        OTF_SECRET = "f73e55eada59bd1c37d69ae3bbacd982";
+        # more options can be set but these are a reminder for myself
+        OTF_CERT_FILE = "";
+        OTF_KEY_FILE = "";
+      };
+      description = "Environment variables for the OTF service.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # it is best for this project to have a dedicated user for database access
+    users.groups.otf = { };
+    users.users.otf = {
+      isSystemUser = true;
+      home = cfg.dataDir;
+      createHome = true;
+      group = "otf";
+    };
+
+    services.postgresql = {
+      enable = true;
+      # this lets us set the package
+      # TODO: expose to end user
+      package = cfg.pgPackage;
+      # This enabled autoconfig of both a database and a user of the same name
+      ensureDatabases = [ "otf" ];
+      ensureUsers = [
+        {
+          name = "otf";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    systemd.services.otf = {
+      description = "Open Terraform Framework";
+      after = [
+        "network.target"
+        "postgresql.service"
+      ];
+      requires = [ "postgresql.service" ];
+      wantedBy = [ "multi-user.target" ];
+      inherit (cfg) environment;
+      serviceConfig = {
+        User = "otf";
+        Group = "otf";
+        WorkingDirectory = cfg.dataDir;
+        ExecStart = "${cfg.package}/bin/otfd";
+        Restart = "on-failure";
+      };
+    };
+  };
+}

modules/nixos/common/ssh.nix

@@ -1,4 +1,5 @@
 _: {
+  services.openssh.enable = true;
   security = {
     sudo.execWheelOnly = true;
     pam = {

modules/nixos/common/users.nix

@@ -0,0 +1,22 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+{
+  users.users.root.openssh.authorizedKeys.keys =
+    with config.users.users;
+    sky.openssh.authorizedKeys.keys;
+  users.users.sky = {
+    isNormalUser = true;
+    name = "sky";
+    extraGroups = [
+      "wheel"
+    ];
+    uid = 1000;
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA9i9HoP7X8Ufzz8rAaP7Nl3UOMZxQHMrsnA5aEQfpTyIQ1qW68jJ4jGK5V6Wv27MMc3czDU1qfFWIbGEWurUHQ="
+    ];
+  };
+}

modules/nixos/default.nix

@@ -5,6 +5,5 @@
   imports = [
     flake.inputs.self.nixosModules.common
   ];
-  services.openssh.enable = true;
+
-  nixpkgs.overlays = [ flake.inputs.self.overlays.default ];
 }